Cloud Controls Matrix

CCMv4 Development Activities Update (2/1/22)

  • 1.  CCMv4 Development Activities Update (2/1/22)

    Posted Feb 01, 2022 06:42:00 AM
    Edited by Lefteris Skoutaris Feb 01, 2022 07:07:01 AM

    Dear members,
    please find below a recent update on the current activities of the CCM WG and additional information on how you may contribute.

    Brief summary:

    • Call for participation in CCMv4 - IBM FS Cloud and CCMv4 - CRI FS Profile mapping activities.
    • CSA would like to develop a CCMv4 Feedback Collection Tool/Process. Your comments for developing the tool's requirements are needed (see agenda point 4).
    • CCMv4 SSRM guidelines. Let us know if you have CCMv4 implementation experience and you would like to be part of such guidelines development.
    • CCM WG experts who have contributed to CSA CCMv4 related publications can now have their profiles displayed at the CSA website by filling out this form.

    Please find below the usual summary of minutes from recent CCM WG call sessions.

    Agenda Items (AIs):

    1. CCMv4.0 auditing guidelines development
    2. CCMv4.0 mapping & gap analysis exercises
    3. CSA Established Partnerships
    4. Feedback Collection Process/Tool
    5. SSRM Guidelines Development
    6. AoB


    Meeting Minutes (MMs):

    1. CCMv4.0 auditing guidelines development
    • The CCMv4 auditing guidelines development is completed and the document is published in both Excel (as part of the CCM Excel spreadsheet) and PDF formats.

    2. CCMv4.0 mapping & gap analysis exercises
    • CSA will be publishing two additional CCMv4.0 mappings to PCI DSS v3.2.1 and NIST 800-53r5, on February 10th. Please stay tuned.
    • Further discussions involve updating the current mapping of CCMv4.0 to ISO/IEC 27001/02/17/18 based on the latest update of ISO 27002 Final Draft International Standard (FDIS).

    3. CSA Established Partnerships

    a. CSA has established a partnership with IBM, with one of the objectives being the alignment of CCMv4.0 with IBM's Cloud framework for financial services.
    • The CCM WG, jointly with IBM, is conducting the forward mapping of CCM v4.0 to IBM FS Cloud. The exercise is close to its completion.
    • Next steps will involve the reverse mapping of IBM FS Cloud to CCM v4.0. 
    • Members who wish to participate in the reverse mapping exercise are kindly invited to contact me.

    b. CSA has established a partnership with the Cyber Risk Institute (CRI), with one of the objectives being the alignment of CCMv4.0 with CRI's Profile for financial services.
    • The CCM WG is tasked with conducting a mapping activity of CCMv4.0 and CRI FS Profile.
    • Members who wish to participate in the mapping exercise are kindly invited to contact me.

    4. Feedback Collection Process/Tool

    • Version 4.0 of the CCM was released in January 2021. A year later, CCM leadership has begun discussions for the next "dot" release of CCMv4.1, expected end of 2023, which will involve possible new additions or updates to its existing CCM control specifications and underlying components (CAIQ, implementation and auditing guidelines, metrics, etc.).
    • The purpose of this project is to define and develop a permanent process and tool that will be available online (e.g., via CSA website) and that will allow CSA to collect feedback from the cloud community and members with regards to future updates to the CCM.
    • A draft description of the requirements and expected functionality of the process/tool can be found here. Your comments are always greatly appreciated.

    5. SSRM Guidelines Development
    • CSA would like to embark on another great project for 2022, that is, developing guidelines that will be based on the Shared Security Responsibility Model (SSRM), in support of current SSRM-based CCMv4.0 controls (STA-01 to 06), applicability matrix and CAIQv4 SSRM questionnaire.
    • The project is currently at a planning phase; nevertheless, we would like to discuss it and collect expressions of interest from any professionals who are experienced in the implementation of CCMv4 or other cloud security controls and might be interested in working on this project.

    6. AoB
    • Please navigate to the 'Events' tab here in Circle to find the call information for the upcoming CCM WG meetings.

    Action Points (APs)
    No action points defined.

    Please let me know if you have any questions/comments.
    Thank you all for being active and supporting the CCMv4 development.
    Best regards,


    ------------------------------
    Eleftherios Skoutaris
    Program Manager
    Cloud Security Alliance
    ------------------------------


  • 2.  RE: CCMv4 Development Activities Update (2/1/22)

    Posted Feb 10, 2022 08:56:00 AM
    Hi Eleftherios,
    I am Deb Mukherjee, associate director, cloud risk compliance, at Royal Bank of Canada. I am new to this group and joined my first CCM WG session today. I am trying to understand everyone's thoughts on the call. Do we have any upcoming call to recap what we have done so far, so I can start helping from my end instead of just joining?

    Thanks,
    Deb Mukherjee
    CISSP, GCP, CBCP
    RBC


    ------------------------------
    Debjyoti Mukherjee
    RBC Global Asset Management US Inc
    ------------------------------